Hydra http connection failed

Question

I want to check my page that only have one ip without hostname(http://ip.ip.ip.ip/dologin.htm)

Now I want to check it for brute force from hydra.

What I tried is:

hydra -l admin  -p admin ip.ip.ip.ip http-post-form "/dologin.htm:P2=^PASS^&Login=:1"

P2: form of password

LOGIN: form of username(This is empty - no user name )

:1: for bad password attempting(doesn't have message for entering bad password)...

So the result is:

When I enter correct password in hydra it says your password is wrong ...

What should I do?

Thanks

Answer 1

The problem is you failur condition (:1).

From the source we can see that the format for option field is as follows:

The option field (following the service field) takes three ":" separated values and an optional fourth value, the first is the page on the server to GET or POST to, the second is the POST/GET variables (taken from either the browser, or a proxy such as PAROS) with the varying usernames and passwords in the "^USER^" and "^PASS^" placeholders, the third is the string that it checks for an invalid or valid login - any exception to this is counted as a success. So please: * invalid condition login should be preceded by "F=" * valid condition login should be preceded by "S=". By default, if no header is found the condition is assume to be a fail, so checking for invalid login. The fourth optional value, can be a 'C' to define a different page to GET initial cookies from.

So you should be able to supply a success condition instead of a fail condition.

Therefore change your :1 to :S=string from the page after successful login.